100% found this document useful (1 vote)
4K views17 pages

Complete Guide To "Commander Hack" For BF2

Complete guide to "Commander hack" for Battlefield 2: using T-Search and Ollydbg we find the pointers to DMA memory

Uploaded by

santapadella
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
100% found this document useful (1 vote)
4K views17 pages

Complete Guide To "Commander Hack" For BF2

Complete guide to "Commander hack" for Battlefield 2: using T-Search and Ollydbg we find the pointers to DMA memory

Uploaded by

santapadella
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 17

ELITE BLING PUBLISHING

A Complete Guide to the Commander


Hack
Table of Contents
Finding the Offsets for the Commander Hack........................... 1
Setting Up The Scene ..................................................................... 1
Searching for the Addresses........................................................... 2
Offsets for Supply and Artillery........................................................ 4
Creating a PB Proof Trainer ..................................................... 6
Static DMA Pointer (Static Base Pointer) ........................................ 6
From Static DMA to a Trainer ....................................................... 11
Concluding Thoughts ............................................................. 14
Credits & Closing Words ............................................................... 15
Chapter
© E L I T E B L I N G B A T T L E C O D E R S . C O M

Finding the Offsets for the


Commander Hack
Every hack begins with a few offsets, and for the Commander
Hack, these are the ForceCommander, Supply, and Artillary.

T
o find the memory addresses for the commander hack we begin with simple
memory searchers such a TSearch or Cheat Engine. Memory searchers are
used to search the memory of a game’s process for certain values and then can
modify & set breakpoints on that memory address..

Setting Up The Scene


As most game hacking scenes go, we first need to start up BF2 Demo in windowed
mode. This can be done by going into the shortcut properties and altering the runtime
command of “+fullscreen 1” into “+fullscreen 0”.

1
© E L I T E B L I N G B A T T L E C O D E R S . C O M

This allows us to run BF2 and debug it at the same time without causing problems.
Once you have set the shortcut properties, proceed to run the game and TSearch. In
the BF2 Demo, navigate to Single Player and start a Gulf Of Oman single player game.

Searching for the Addresses


When the server has loaded, apply to be commander, and accept once the invitation
comes. Now when you accept the commander position a Boolean Value of 1 has been
written in your player’s profile (structure/class) in the game’s memory.

Now Alt-Tab back to TSearch and Click Open Process, and Select the BF2.exe which
is our game. Once its attached click the little magnifying glass “Init
New Search” and search for the Exact Value 1 with the type set to
as Bytes. You will get millions of results.

2
© E L I T E B L I N G B A T T L E C O D E R S . C O M

Next, head back to BF2 and resign from commander position. Now, the memory
address for commander would have changed back to 0. So head back to TSearch and
use the “Search Next” to search which of the found values has changed to 0. Then
head back and apply for commander. Keep doing this back and forth until you end up
the a few values.

So after a few turns of applying and resigning, I got down to 17 memory addresses.,
and they would all change when apply/resigning for commander.

Now add all 17 addresses to the table to the right of the search window by clicking the
Add All searches Icon. Now in the table, go through each of the seventeen addresses
one by one, changing it to 1 and watching the BF2 Screen to see if you become
commander. Most of them will revert back to 0, but the correct address will stay 1 and
make you commander at the same time. This is the address we want!.

Note

This address we found is Dynamic, meaning that it changes every time


we restart the game, or every time we switch servers. The term for this
Dynamic ability is DMA. So to make a commander hack one of the
obstacles we need to overcome this DMA.

At this point, we need to set a Memory Breakpoint on that address to see what code
accesses it. To do this in TSearch click AutoHack -> Enable Debugger.

3
© E L I T E B L I N G B A T T L E C O D E R S . C O M

Note

It is at this point where you have to do things a little differently


from the Retail Version. In the Retail Version of BF2, because of
SafeDisc, the game is continually Debugging itself, and therefore
we are not able to attach a debugger (fortunately SafeDisc is not in
the Demo). Getting past this debug obstacle is called “Resetting
the Debug Port”. There are several tutorials on how to do this. Just
view my tutorial for “Steal DMA”

Once you’ve clicked “Enable Debugger” go back to the address which you found
controlled the ForceCommander, right click on it, and click “AutoHack”. Now go
back to the game and apply/resign for commander. After this back in TSearch, go to
AutoHack Menu Item -> AutoHack Window.

Now you should have the OFFSET which writes to that address which decides if we
are commander or not. The cool thing about this offset is that it is constant for
everyone (within that particular version).

At this point a simple trainer would make

Forever making us commander. The only problem with this is BF2.exe (where these
modifications are taking place) is completely scanned, so the slightly modification will
be detected and a corrupt memory kick will take place. A method to bypass that will be
discussed further on.

The point of the whole hack is to write 1 to that particular address, to force
commander. Now on to Supplies and Artillery.

Offsets for Supply and Artillery

The procedure for getting to the offsets which control the Supply and Artillery bars in
the Commander View is very similar to the procedure for the ForceCommander.
There is only one difference!

When the Artillery Bar is filled, the memory value is 0. When it is reloading, the
memory value is 1. The same is true for Supplies as well.

So the procedure for these two utilities will go something like dropping a supply crate,
pausing the game, and searching for 1. Then once its filled, Searching Next for 0. Then

4
© E L I T E B L I N G B A T T L E C O D E R S . C O M

drop and search next for 1. And keep doing this until you get to a few addresses. Next
drop a supply crate and change all the 1s to 0s and see which one immediately refills
the supply bar.

Use the AutoHack procedure on that memory address and you will find the offset
which controls supply. (And the same for Artillery).

The Offsets which I got were:

Supply - 00754D01 C640 54 01 MOV BYTE PTR DS:[EAX+54],1

Artillery - 0072E378 C646 3C 01 MOV BYTE PTR DS:[ESI+3C],1

Note

So once again, moving 1 to the address “unfills” the bar so our goal
is to write a 0 to the address. And since I’m sure most people here
want one for v1.4, the same searching method and be used for
vehicle drops aswell.

5
© E L I T E B L I N G B A T T L E C O D E R S . C O M

Chapter

Creating a PB Proof
Trainer
This is the more difficult part of this tutorial, and requires that
you have some knowledge of debugging and using tools like
OllyDBG. Also the ability to implement APIs in programming
language is very important..

Static DMA Pointer (Static Base Pointer)

Explained to everyone by SINE, this method is probably the best (and easiest) to make
a undetected commander hack. Basically it relies on the fact that BF2 was created in
VC++ under very organized hierarchy of classes and structures. Therefore we can get
the DMA of the ForceCommander/Supply/Arty by just reading a few specific bytes of
the memory and without having to inject code caves or anything else.

The simplistic explanation of Static DMA (the way SINE explained it), is basically this.
When we have a DMA address such as [esi + 0x108], the reason its dynamic is
because ESI is dynamic. So we need to keep tracing ESI to a point where it is no
longer dynamic. Read further on if you don’t understand this at the moment.

For the Static DMA Method, you will require OllyDBG and the offsets for DMA you
are trying to hack (e.g. ForceCommander).

So lets go back to our offset for ForceCommander.

4C02B3 mov [esi+0x108],al

Run BF2 and get a single player game started. Then Start up OllyDBG then go to File-
>Attach and attach to the BF2.exe process. At this point Olly will automatically pause
the process for us at some ntdll. To go back to the BF2, go to View->Executable
Modules and double-click the BF2 Module. Hit [Ctrl] + G and type in the offset.

6
© E L I T E B L I N G B A T T L E C O D E R S . C O M

Now set a breakpoint on that address by pressing F2.

With the breakpoint having been set, head back to the game and apply for commander.
When you accept the position, the game should get stuck because Olly has paused the
game at the breakpoint. Now as stated before, to get a Static DMA Pointer, we need to
find what sets the value of ESI since it is that register which causes the address to be
dynamic.

So scroll up from the address until you find a command which sets ESI.

7
© E L I T E B L I N G B A T T L E C O D E R S . C O M

So the problem now is what sets ECX, since ECX doesn’t seem to be Static. To see
what sets ECX, we need to see the parameters of this function when it was called
because there is nothing else in this function which control ECX. Therefore to see
what code called this function, we need to refer to the Stack, the small window on the
bottom right corner of Olly.

In Computer Arch. When you call a function, the computer knows where to return by
pushing the return address into the stack. So using these return addresses we can
determine which function were called and under what parameters. So I followed the
first Return and got this function.

The INT3’s are like empty spaces between the functions and tell us where one function
ends and the other starts (for the most part). So back to our whole point of finding
what sets ECX, in this function we find again that none of the commands here modify
ECX, so we need to go back another function. So go back to the Stack and try the
second “Return to”

When we try the second Return To, we get more promising results

8
© E L I T E B L I N G B A T T L E C O D E R S . C O M

Ok a lot of information here. We finally see what sets ECX, it is the ASM command;

004AF8F0 8BCB MOV ECX,EBX

So our next question is what sets EBX. Looking further up the code, we see that EAX
sets EBX

004AF8B7 8BD8 MOV EBX,EAX

And what sets EAX, well it looks like DWORD PTR [ECX] which means the
memory pointer by ECX.

004AF8B0 8B01 MOV EAX,DWORD PTR DS:[ECX]

And finally what sets ECX!

9
© E L I T E B L I N G B A T T L E C O D E R S . C O M

004AF8A7 8B0D FCC59500 MOV ECX,DWORD PTR DS:[95C5FC]

That 95C5FC is a Static Address. So now we have a static pointer. There is one snag
to this though. Do u see that “Sneaky Function” I pointed out. Well that function
actually modifies one of the pointers, the EAX.

This “Sneaky Function” is actually very complicated. This is because the offset I had
originally picked was very bad to use and made our process very complicated. (It seems
in hindsight that the only calls to this function are when you become commander,
when usually the ForceCommander offset is constantly called, this should have warned
me).

10
© E L I T E B L I N G B A T T L E C O D E R S . C O M

Usually its not this complicated, and since I don’t want to rewrite the
tutorial, nor do I want to confuse the beginners. I will pretend that that
change to EAX never takes place. So simply, this code that I am going to
explain will not work on the demo, it is only to learn the mechanics. But
trust me, in other versions tracing is not that complicated.

From Static DMA to a Trainer

I will be showing you how this is done in C++. First we need to declare some
DWORD which we will read the static stuff into.

DWORD dwBuffer1;

DWORD dwUtilityBase;

DWORD dwLeaderBase;

DWORD dwForceCommander;

DWORD dwSupply;

DWORD dwArtillery;

So the first thing we need to do is read from the static address of 95C5FC.

004AF8A7 8B0D FCC59500 MOV ECX,DWORD PTR DS:[95C5FC]

<< Translates to >>

ReadProcessMemory(hand, (void*)0x95C5FC, &dwBuffer1,sizeof(dwBuffer1),&bytes);

Following the chain, next we need to do another Read from the ECX Pointer which
we stored in dwBuffer1.

11
© E L I T E B L I N G B A T T L E C O D E R S . C O M

004AF8B0 8B01 MOV EAX,DWORD PTR DS:[ECX]

<< Translates to >>

ReadProcessMemory(hand,(void*)(dwBuffer1),&dwLeaderBase,sizeof(dwLeaderBase),&b
ytes);

Now if we look at the rest of the instructions, they just move addresses from one
register to another, without any reading or writing.. It is only at the end that we write to
a different memory address, and that is the memory at [ESI + 0x108].

4C02B3 mov [ESI+0x108],al

<< Translates to >>

dwForceCommander = dwLeaderBase + 0x108;

ReadProcessMemory(hand,(void*)(dwForceCommander),&dwLeaderBase,sizeof(dwLead
erBase),&bytes);

The reason why I made dwForceCommander a separate DWORD is because it makes


it easier to write to different mem. addresses when having one base address.

The Central Dogma of DMA is that even though the actual memory
addresses of Supply or Artillery may change, the difference (Supply Mem
.Address – Artillery Mem. Address) is always constant.. Therefore if we are
able to calculate one memory address, we can then just add/subtract to get
the others.

So for example, once we get the base address for supply/arty. We can calculate the
others by adding these constants.

dwSupply= dwUtilityBase + 0x54;

dwArtillery = dwUtilityBase + 0x3c;

12
© E L I T E B L I N G B A T T L E C O D E R S . C O M

Now to finish the ForceCommander hack, we need to write the byte value 1 to the
force commander address continually! This is because the server will constantly
update with the client and set that we are not commander. So we put the
WriteProcessMemory in a timer loop to continuously write 1 to that memory address
so our client keeps thinking we are the commander.

TimerLoop {

static BYTE one[1] = {0x01};

WriteProcessMemory(hand,(void*)(dwForceCommander),&one,1,&bytes);

We can do the same for Supply and Artillery (once you have calculated the static
DMA’s, I will leave this up to you), but remember we need to write 0 to fill the bar.

static BYTE zero[1] = {0x00};

WriteProcessMemory(hand,(void*)(dwCommander2),&zero,1,&bytes);

WriteProcessMemory(hand,(void*)(dwCommander3),&zero,1,&bytes);

And there you have it, a working commander hack (note this is really not working since
I skipped one static DMA step, but if you did it via another offset it will be working).

13
© E L I T E B L I N G B A T T L E C O D E R S . C O M

Chapter

Concluding Thoughts
So that’s about it for this tutorial, please do post any things you want me to add. These
are the steps use off the top of my head, but I may have forgotten something.

So once again, I’m sorry for not having the whole offset thing work out, I would go
back to correct it, but then I will have to take new screenshots and everything.,
hopefully you will understand the mechanics behind static DMA. Here is the good
Offset for the demo which I used in my trainer.

COMMANDER

004C01B0 8A81 08010000 MOV AL,BYTE PTR DS:[ECX+108]

It gets traced back like this…

004C01B0 8A81 08010000 MOV AL,BYTE PTR DS:[ECX+108]

006F18B6 |. 8BCB MOV ECX,EBX

006F1876 |. 8BD8 MOV EBX,EAX

005E2120 > 8B41 60 MOV EAX,DWORD PTR DS:[ECX+60]

006F1867 |. 8B0D FCC59500 MOV ECX,DWORD PTR DS:[95C5FC]

14
© E L I T E B L I N G B A T T L E C O D E R S . C O M

Credits & Closing Words


Big thanks to SINE for explaining the static base pointers method. I highly
recommend you read his explanation because mine is really just a summary of his.

http://www.mpcforum.com/showthread.php?t=144780. Definitely read it. I’d also


like to thank Sparten for originally releasing the Commander Hack Offsets and Dubbls
for making the first public Commander Hack (which got shut down). It was this
Commander Hack which got me into the world of Game Hacking.

So this tutorial is for educational purposes only, I don’t want it to harm anyone
and if you use it maliciously it is your fault, not mine. I’d like to thank EA
Games and DICE for making such an excellent game which I have spent many
countless hours playing and enjoying, and now I’m off to buy Battlefield 2142.

15

You might also like